3 matches found
GHSA-H2VW-PH2C-JVWF OpenClaw: Workspace dotenv MiniMax host override could redirect credentialed requests
Affected Packages / Versions
- Package: openclaw (npm)
- Affected versions: = 2026.4.5, 2026.4.20
- Patched version: 2026.4.20
Impact: A malicious workspace .env could set MINIMAXAPIHOST and redirect credentialed MiniMax requests to an attacker-controlled origin, exposing the MiniMax API key in the...
kcp is missing update validation allows arbitrary LogicalCluster status patches through initializingworkspaces Virtual Workspace
Impact: Because UPDATE validation is not being applied, an actor with access to an instance of the initializingworkspaces virtual workspace can run arbitrary patches on the status field of LogicalCluster objects while the workspace is initializing. This allows adding or removing an...
PT-2020-15429 · Jenkins · Jenkins +1
Name of the Vulnerable Software and Affected Versions:
- Jenkins ZAP Pipeline Plugin versions 1.9 and earlier
- Jenkins versions prior to 2.228 excluding 2.227 and older, 2.204.5 and older, due to different security concerns
- Jenkins versions 2.228 through 2.230
- Jenkins 2.222.x LTS versions
- Jenkins...